Authorization Examples
By default, if a principal does not have an explicit ACL that allows an operation on a resource, access requests from the principal for that operation are denied. (The broker property allow.everyone.if.no.acl.found controls this fallback; it defaults to false, and it only applies to resources that have no ACLs at all.)
The following examples show how to add, remove, and list ACLs.
Grant Read/Write Access to a Topic
To add the following ACL:
"Principals user:bob and user:alice are allowed to perform the operations Read and Write on topic test-topic from host1 and host2"
run the CLI with the following options (topic names are case-sensitive, so spell the topic exactly as it was created):
bin/kafka-acls.sh --add --allow-principal user:bob --allow-principal user:alice --allow-host host1 --allow-host host2 --operation Read --operation Write --topic test-topic
Note: the broker matches --allow-host and --deny-host against the connecting client's IP address as it sees it; only IP addresses are supported, so use the address a client actually connects from rather than a DNS name.
Grant Full Access to Topic, Cluster, and Consumer Group
To add ACLs to a topic, specify --topic <topic-name> as the resource option. Similarly, to add ACLs to the cluster, specify --cluster; to add ACLs to a consumer group, specify --consumer-group <group-name>. (Upstream Apache Kafka names the group resource option --group; check bin/kafka-acls.sh --help if --consumer-group is not accepted by your build.)
The following examples grant full access (operation ALL) for principal user:bob to topic test-topic, to consumer group 10, and to the cluster resource. Substitute your own values for principal name, topic name, and group name. ALL on the cluster resource covers cluster-wide operations such as Create and ClusterAction, so grant it only to administrative principals.
bin/kafka-acls.sh --topic test-topic --add --allow-principal user:bob --operation ALL --config /usr/hdp/current/kafka-broker/config/server.properties
bin/kafka-acls.sh --consumer-group 10 --add --allow-principal user:bob --operation ALL --config /usr/hdp/current/kafka-broker/config/server.properties
bin/kafka-acls.sh --cluster --add --allow-principal user:bob --operation ALL --config /usr/hdp/current/kafka-broker/config/server.properties
Add a Principal as Producer or Consumer
The most common use case for ACL management is to add or remove a principal as a producer or consumer. The following convenience options handle these cases. In Apache Kafka, --producer expands to Write and Describe on the topic plus Create on the cluster, and --consumer expands to Read and Describe on the topic plus Read on the consumer group; run --list afterwards to see exactly which ACLs were written.
To add user:bob as a producer of test-topic, run the following command:
bin/kafka-acls.sh --add --allow-principal user:bob --producer --topic test-topic
Similarly, to add user:alice as a consumer of test-topic with consumer group group-1, pass the --consumer option.
Note: When using the --consumer option you must also specify the consumer group.
bin/kafka-acls.sh --add --allow-principal user:alice --consumer --topic test-topic --consumer-group group-1
Deny Access to a Principal
In rare cases you might want to define an ACL that allows access to all but one or more principals. In this case, use the --deny-principal and --deny-host options. A Deny ACL always takes precedence over any matching Allow ACL, regardless of the order in which the ACLs were added, so a deny cannot be overridden by granting a broader allow later.
For example, to allow all users to read from test-topic except user bob from host bad-host (remember that hosts are matched by IP address):
bin/kafka-acls.sh --add --allow-principal user:* --allow-host * --deny-principal user:bob --deny-host bad-host --operation Read --topic test-topic
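The decision rules described on this page (default deny, Allow ACLs matched by principal, host and operation, and Deny ACLs overriding Allow ACLs) are easy to misjudge when reading a long --list output. The following Python script is an added example, not part of this page or of Kafka's own code: it parses ACL lines in the format kafka-acls.sh --list prints for one resource (the sample text is constructed for this example, not captured from a cluster) and evaluates a request the way SimpleAclAuthorizer does. The implied-Describe rule and the allow.everyone.if.no.acl.found fallback are modelled on the Apache Kafka authorizer; principal and host strings are compared literally, as the broker does.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample. The line format is modelled on what kafka-acls.sh --list
# prints for one resource (one ACL per line); it was not captured from a real
# cluster. It holds the "allow everyone except bob from bad-host" ACLs from the
# text plus Write grants for bob and alice restricted to single hosts.
SAMPLE_LIST_OUTPUT = """\
Current ACLs for resource `Topic:test-topic`:
  User:* has Allow permission for operations: Read from hosts: *
  User:bob has Deny permission for operations: Read from hosts: bad-host
  User:bob has Allow permission for operations: Write from hosts: host1
  User:alice has Allow permission for operations: Write from hosts: host2
"""

ACL_LINE = re.compile(
    r"^\s*(?P<principal>\S+) has (?P<perm>Allow|Deny) permission for operations: "
    r"(?P<op>\S+) from hosts: (?P<host>\S+)\s*$"
)


@dataclass(frozen=True)
class Acl:
    principal: str   # e.g. "User:bob"; "User:*" is the wildcard principal
    host: str        # client address as the broker sees it; "*" is any host
    operation: str   # lower-cased: read, write, describe, ..., or all
    permission: str  # Allow or Deny


def parse_list_output(text: str) -> List[Acl]:
    """Turn --list style output into Acl records, skipping header lines."""
    acls = []
    for line in text.splitlines():
        m = ACL_LINE.match(line)
        if m:
            acls.append(Acl(m["principal"], m["host"], m["op"].lower(), m["perm"]))
    return acls


# An Allow for any of these operations also lets the principal Describe the
# resource (SimpleAclAuthorizer's implied-Describe rule). Deny has no such rule:
# denying Read does not deny Describe.
IMPLIES_DESCRIBE = {"read", "write", "delete", "alter"}


def _matches(acl: Acl, principal: str, host: str, operation: str) -> bool:
    if acl.principal not in ("User:*", principal):
        return False
    if acl.host not in ("*", host):
        return False
    if acl.operation in ("all", operation):
        return True
    return (acl.permission == "Allow" and operation == "describe"
            and acl.operation in IMPLIES_DESCRIBE)


def authorize(acls: List[Acl], principal: str, host: str, operation: str,
              allow_everyone_if_no_acl: bool = False) -> bool:
    """Decide one request in SimpleAclAuthorizer's order:
    no ACLs on the resource -> allow.everyone.if.no.acl.found (default false);
    any matching Deny -> denied, whatever Allow ACLs exist;
    otherwise allowed only if some Allow ACL matches."""
    operation = operation.lower()
    if not acls:
        return allow_everyone_if_no_acl
    if any(a.permission == "Deny" and _matches(a, principal, host, operation)
           for a in acls):
        return False
    return any(a.permission == "Allow" and _matches(a, principal, host, operation)
               for a in acls)


if __name__ == "__main__":
    acls = parse_list_output(SAMPLE_LIST_OUTPUT)
    for who, where, op in [("User:bob", "bad-host", "Read"),
                           ("User:bob", "host1", "Read"),
                           ("User:alice", "host1", "Write"),
                           ("User:alice", "host2", "Describe")]:
        verdict = "ALLOW" if authorize(acls, who, where, op) else "DENY"
        print(f"{who} from {where}, {op}: {verdict}")
```

Feeding the real output of bin/kafka-acls.sh --list --topic <topic> into parse_list_output lets you answer "can this principal, from this address, do this operation" before a client hits a TopicAuthorizationException; the bob-from-bad-host case shows the Deny winning even though the wildcard Allow also matches.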
Remove Access
Removing ACLs is similar to adding ACLs. The only difference is that you need to specify the --remove option instead of the --add option. Removal matches ACLs exactly (same principal, host, operation, and permission type), so a --remove with a different host or operation than the original --add removes nothing; verify the result with --list. In upstream Apache Kafka the command asks for confirmation before removing unless --force is passed.
To remove the ACLs for principals bob and alice (added in "Grant Read/Write Access to a Topic"), run the CLI with the following options:
bin/kafka-acls.sh --remove --allow-principal user:bob --allow-principal user:alice --allow-host host1 --allow-host host2 --operation Read --operation Write --topic test-topic
Similarly, to remove a principal from a producer or consumer role, specify the --remove option instead of --add:
bin/kafka-acls.sh --remove --allow-principal user:bob --producer --topic test-topic
List ACLs
To list ACLs for a resource, specify the --list option with the resource; --list with no resource option lists the ACLs for all resources.
For example, to list all ACLs for test-topic, run the CLI with the following options:
bin/kafka-acls.sh --list --topic test-topic
Configure Authorizer Settings
To specify which authorizer to use, include the --authorizer option. For example:
--authorizer kafka.security.auth.SimpleAclAuthorizer
...
To specify one or more authorizer initialization settings, include the --authorizer-properties option; for example:
--authorizer-properties zookeeper.connect=localhost:2181
...
SimpleAclAuthorizer stores ACLs in ZooKeeper, and the CLI writes to ZooKeeper directly rather than through a broker, so zookeeper.connect must point at the same ensemble the brokers use. Anyone who can write to those znodes can rewrite the ACLs, so secure the ZooKeeper ensemble (for example with SASL and zookeeper.set.acl=true on the brokers) rather than relying on Kafka ACLs alone.